Additional Materials:

Contact:

The Federal Bureau of Investigation (FBI) is investing more than a billion dollars over 3 years to modernize its information technology (IT) systems. The modernization is central to the bureau's ongoing efforts to transform the organization. GAO was asked to determine whether the FBI has (1) an integrated plan for modernizing its IT systems and (2) effective policies and procedures governing management of IT human capital, systems acquisition, and investment selection and control.

Although improvements are under way and planned, the FBI does not currently have an integrated plan for modernizing its IT systems. Each of the bureau's divisions and other organizational units that manage IT projects performs integrated planning for its respective IT projects. However, the plans do not provide a common, authoritative, and integrated view of how IT investments will help optimize mission performance, and they do not consistently contain the elements expected to be found in effective systems modernization plans. FBI officials attributed the state of modernization planning to, among other things, the bureau's lack of a policy requiring such activities, which is due in part to the fact that the responsibility for managing IT--including modernization planning--has historically been diffused and decentralized. The FBI's CIO recognizes these planning shortfalls and has initiated efforts to address them. Until they are addressed, the bureau risks acquiring systems that require expensive rework to be effectively integrated, thus hampering organizational transformation. The FBI has established policies and procedures governing IT human capital that are consistent with best practices used by leading private and public organizations. However, the bureau's policies and procedures governing systems acquisition, which are developed on a decentralized basis by the divisions and other units that manage IT projects, include some but not all best practices. In addition, the bureau's investment management policies and procedures, which started in 2001, have been evolving and progressing slowly toward alignment with best practices. According to FBI officials, the state of the bureau's acquisition and investment management policies and procedures is due to a number of factors, including diffused and decentralized IT management authority. The CIO recognizes these problems and has efforts planned and under way to strengthen policies and procedures. Until these efforts are completed, the bureau increases the risk that it will experience problems delivering promised IT investments on time and within budget, which, in turn, could adversely affect systems modernization and organizational transformation.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: Concurrent with the bureau's efforts over the last several years to establish and implement corporate IT management controls, it has taken steps to identify and prioritize proposed IT investments using various tools and methods, such as its IT Investment Ranking Score Sheet. According to FBI IT investment management guidance, IT investments are scored based on criteria, including the four categories of spending that we recommended, and those investments that score relatively low (i.e., are ranked at the bottom of the sheet) are either not selected for funding or are treated as lower priorities and funded accordingly.

Recommendation: Until the bureau's IT management foundation is completed and available to effectively guide and constrain the hundreds of millions of dollars it is spending on IT investments, the Director of the FBI should direct the heads of the divisions to limit spending on their respective IT investments to cost-effective efforts that are congressionally directed; take advantage of near-term, relatively small, low-risk opportunities to leverage technology in satisfying a compelling bureau need; support operations and maintenance of existing systems critical to the FBI's mission; and support establishment of the FBI's IT management foundation, including the development of a modernization blueprint (enterprise architecture), initiation of integrated project planning, and development of IT management policies and procedures for systems acquisition and investment selection and control.

Comments: Consistent with the Director's 2004 announcement and FBI's IT investment management guidance, the CIO is responsible for developing, implementing, and managing the IT investment management process, and is the chair of the bureau's Investment Management Board, which is the bureau's corporate body for reviewing and approving IT investments. Based on our analysis of FBI documentation, the CIO is actively involved in overseeing the bureau's IT investments and the progress of IT programs and initiatives.

Recommendation: The FBI Director should provide the CIO with the responsibility and authority for managing IT bureauwide, including budget management control and oversight of IT programs and initiatives.

Comments: The FBI has developed and issued enterprise architecture development, maintenance, and implementation policies, and it has issued incremental versions of its enterprise architecture, to include transition plans for investing in IT. The latest version of the architecture and transition plan is dated June 2006. The purpose of this transition plan is to provide an integrated roadmap for modernizing and investing in IT in a way to effectively and efficiently migrate from the bureau's current IT environment to its target IT environment.

Recommendation: The FBI Director, with assistance from the CIO, should ensure that future and ongoing modernization plans and efforts are effectively integrated by establishing a bureauwide requirement (policy) to develop an integrated plan (or set of plans) for modernization investments.

Comments: The FBI has developed and issued policies to guide the planning and scope of its IT modernization efforts. For example, the bureau has issued enterprise architecture development, maintenance, and implementation policies, which provide for the content and scope of the architecture, including the modernization transition plan for moving from the current architecture environment to the target architecture environment. This transition plan is being used to, among other things, inform the timing, sequencing, and integration of system investments. Further, the bureau has issued its Life Cycle Management Directive, which defines an IT systems development methodology that includes controls and mechanisms for aligning investments to the architecture and transition plan.

Recommendation: The FBI Director, with assistance from the CIO, should ensure that future and ongoing modernization plans and efforts are effectively integrated by developing corresponding guidance on plan contents and scope.

Comments: The FBI has continued to devote a range of resources, including human capital, management tools, and contractor support, to assist it in implementing its transition plan, which is an integrated and sequenced roadmap for moving from its current to its target architectural environment. For example, on its Sentinel program, which is included in the transition plan, we reported in 2006 that it had fully staffed its program office and was employing extensive contract management support. Additionally, we reported in 2007 and 2008 that the program office was employing key program management tools, such as those for managing the system's configuration and for managing and controlling the system's requirements.

Recommendation: The FBI Director, with assistance from the CIO, should ensure that future and ongoing modernization plans and efforts are effectively integrated by ensuring the appropriate resources and training are available to implement policy and guidance.

Comments: The FBI has issued enterprise architecture development and maintenance policies and guidance that assign responsibility and accountability for developing modernization plans, including responsibility and accountability for developing the FBI's enterprise architecture, which includes a modernization transition plan for moving from the current to the target architecture environment. Further, the bureau has issued its Life Cycle Management Directive and its IT Investment Management guidance, which assigns responsibility and accountability for implementing the modernization transition plan and developing plans for individual IT investments. Among other things, it establishes a bureau-wide body, chaired by the CIO, for reviewing and approving plans for individual IT investments throughout their lifecycles.

Recommendation: The FBI Director, with assistance from the CIO, should ensure that future and ongoing modernization plans and efforts are effectively integrated by assigning responsibility and accountability for developing the plans.

Comments: The FBI has taken steps in ensure that the CIO reviews the bureau's modernization plans and efforts for adherence to policy and alignment with the FBI enterprise architecture. Specifically, the modernization plan is part of the enterprise architecture, providing an roadmap for transitioning from the current to the target architectural environment. Further, the FBI's IT Information Management (ITIM) governance document, signed by the FBI Director, charges the CIO with responsibility for the development, implementation, and management of the ITIM process within the FBI, to include an Investment Management Board, which is a senior-level, bureau-wide committee chaired by the CIO to review IT investments for, among other things, alignment with the FBI's enterprise architecture.

Recommendation: The FBI Director, with assistance from the CIO, should ensure that future and ongoing modernization plans and efforts are effectively integrated by assigning responsibility and accountability to the CIO for reviewing the plans to ensure adherence to the policy and guidance, including alignment with the bureau's enterprise architecture.

Comments: The FBI has established a range of policies, procedures, and guidance for systems acquisition and investment management selection and control, such as those in its 2006 Life Cycle Management Directive, 2007 Project Manager's Handbook, and 2004 Investment Management Guide. With regard to systems acquisition, these policies and procedures address configuration management, quality assurance, requirements management, and risk management in a manner that reflects published guidance and other leading practices and thereby addresses the weaknesses that we reported. Moreover, our analysis of the FBI's Sentinel program shows that these polices and procedures are being implemented.

Recommendation: The FBI Director, with the CIO's assistance, should take action to ensure that the bureau establishes effective policies and procedures for systems acquisition and investment management selection and control. With regard to systems acquisition, the Director of the FBI should correct the weaknesses in configuration management, project management, quality assurance, requirements development and management, and risk management policies and procedures described in this report's body and detailed in appendix III and implement the resulting changes accordingly.

Comments: The FBI has established a range of bureau-wide policies, procedures, and guidance for systems acquisition and investment management selection and control that apply FBI-wide. These include the bureau's 2006 Life Cycle Management Directive, 2007 Project Manager's Handbook, and 2004 IT Investment Management Guide. In 2007 and 2008, we reported that these policies, procedures, and guidance collectively addresses leading practices, and were largely being implemented on the Sentinel program. While we could not verify the extent to which these policies, procedures, and guidance are being implemented across each of the FBI's divisions, we consider this recommendation to be largely implemented because the FBI has required their use bureau-wide.

Recommendation: The FBI Director, with the CIO's assistance, should take action to ensure that the bureau establishes effective policies and procedures for systems acquisition and investment management selection and control. With regard to systems acquisition, the Director of the FBI should assess the other divisions that manage IT investments to determine whether their policies and procedures align with best practices and, to the extent there are gaps, correcting them.

Comments: The FBI has established a range of policies, procedures, and guidance for systems acquisition and investment management selection and control, such as those in its 2004 IT Investment Management Guide. Our analysis of this guide, as well as reports from the Department of Justice Inspector General, show that this guide reflects leading investment management practices, including GAO's ITIM framework.

Recommendation: The FBI Director, with the CIO's assistance, should take action to ensure that the bureau establishes effective policies and procedures for systems acquisition and investment management selection and control. With regard to IT investment management, the Director of the FBI should develop the bureau's investment management processes in accordance with key IT investment decision-making best practices, such as GAO's IT investment management framework.

Comments: The FBI has established a range of policies, procedures, and guidance for systems acquisition and investment management selection and control, such as those in its 2006 Life Cycle Management Directive, 2007 Project Manager's Handbook, and 2004 IT Investment Management Guide. Moreover, the FBI has moved swiftly in implementing in implementing them. For example, shortly after publishing its IT Investment Management Guide, the bureau established its Investment Review Board, chaired by the CIO, and began reviewing each investment against defined investment criteria. Further, our reviews of the FBI's Sentinel program shows that it has quickly adopted the policies and procedures that have been established, and has even identified , and acted on, other effective acquisition and investment management practices to provide for their speedy implementation out ahead of evolving policies, procedures, and guidance.

Recommendation: The FBI Director, with the CIO's assistance, should take action to ensure that the bureau establishes effective policies and procedures for systems acquisition and investment management selection and control. With regard to IT investment management, the Director of the FBI should identify, and acting on, options for speeding up their implementation.